Showing 1801 through 1825 of 4844 matching records.
Publications IR 8397 (Final) October 6, 2021
https://csrc.nist.gov/pubs/ir/8397/final

Abstract: Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes eleven recommendations for software verification techniques as...

Publications SP 1800-27 (Final) March 30, 2021
https://csrc.nist.gov/pubs/sp/1800/27/final

Abstract: Hotels have become targets for malicious actors wishing to exfiltrate sensitive data, deliver malware, or profit from undetected fraud. Property management systems, which are central to hotel operations, present attractive attack surfaces. This example implementation strives to increase the cybersec...

Publications IR 8333 (Final) March 29, 2021
https://csrc.nist.gov/pubs/ir/8333/final

Abstract: This report provides a summary of the discussion and findings from the NIST Cybersecurity Risks in Consumer Home Internet of Things (IoT) Devices virtual workshop in October 2020. NIST Interagency Report (NISTIR) 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, and NISTIR 82...

Publications Conference Paper (Final) December 18, 2020
https://csrc.nist.gov/pubs/conference/2020/12/18/apply-quantum-search-to-the-safety-check/final

Conference: The 13th International Conference on Security Privacy and Anonymity in Computation Communication Abstract: Interrelated computing device's system such as IoT, RFID, or edge device's systems are pervasively equipped for today's information application and service systems, protecting them from unauthorized access i.e. safety is critical, because a breach from the device may cause cascading effects resultin...

Publications Journal Article (Final) September 14, 2020
https://csrc.nist.gov/pubs/journal/2020/09/categorizing-human-phishing-detection-difficulty-a/final

Journal: Journal of Cybersecurity Abstract: As organizations continue to invest in phishing awareness training programs, many chief information security officers (CISOs) are concerned when their training exercise click rates are high or variable, as they must justify training budgets to organization officials who question the efficacy of awar...

Publications SP 800-207 (Final) August 11, 2020
https://csrc.nist.gov/pubs/sp/800/207/final

Abstract: Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zer...

Publications SP 800-77 Rev. 1 (Final) June 30, 2020
https://csrc.nist.gov/pubs/sp/800/77/r1/final

Abstract: Internet Protocol Security (IPsec) is a widely used network layer security control for protecting communications. IPsec is a framework of open standards for ensuring private communications over Internet Protocol (IP) networks. IPsec configuration is usually performed using the Internet Key Exchange...

Publications Conference Paper (Final) June 29, 2020
https://csrc.nist.gov/pubs/conference/2020/06/29/evolving-advanced-persistent-threat-detection/final

Conference: 2020 IEEE Conference on Communications and Network Security (CNS) Abstract: Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation-states and sophisticated corporations to obtain high profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and commonly used benign...

Publications SP 1800-16 (Final) June 16, 2020
https://csrc.nist.gov/pubs/sp/1800/16/final

Abstract: This NIST Cybersecurity Practice Guide shows large and medium enterprises how to employ a formal TLS certificate management program to address certificate-based risks and challenges. It describes the TLS certificate management challenges faced by organizations; provides recommended best practices fo...

Publications SP 800-57 Part 1 Rev. 5 (Final) May 4, 2020
https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final

Abstract: This Recommendation provides cryptographic key-management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material, including definitions of the security services that may be provided when using cryptography and the...

Publications CSWP 13 (Final) (Withdrawn) April 23, 2020
https://csrc.nist.gov/pubs/cswp/13/mitigating-risk-of-software-vulnerabilities-ssdf/final

Abstract: Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure the software being developed is well secured. This white paper recommends a core set of high-level secure s...

Publications Conference Paper (Final) February 24, 2019
https://csrc.nist.gov/pubs/conference/2019/02/24/rating-human-phishing-message-detection-difficulty/final

Conference: Workshop on Usable Security (USEC) 2019 Abstract: As organizations continue to invest in phishing awareness training programs, many Chief Information Security Officers (CISOs) are concerned when their training exercise click rates are high or variable, as they must justify training budgets to those who question the efficacy of training when click r...

Publications IR 8200 (Final) November 29, 2018
https://csrc.nist.gov/pubs/ir/8200/final

Abstract: The Interagency International Cybersecurity Standardization Working Group (IICS WG) was established in December 2015 by the National Security Council’s Cyber Interagency Policy Committee. Its purpose is to coordinate on major issues in international cybersecurity standardization and thereby enhance...

Publications Journal Article (Final) June 26, 2018
https://csrc.nist.gov/pubs/journal/2018/06/baseline-tailor/final

Journal: Journal of the National Institute of Standards and Technology Abstract: Baseline Tailor is an innovative web application for users of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and Special Publication (SP) 800-53. Baseline Tailor makes the information in these widely referenced publications easily accessible to both security profes...

Publications CSWP 6 (Final) April 16, 2018
https://csrc.nist.gov/pubs/cswp/6/cybersecurity-framework-v11/final

Abstract: This publication describes a voluntary risk management framework (“the Framework”) that consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience...

Publications Conference Paper (Final) December 7, 2017
https://csrc.nist.gov/pubs/conference/2017/12/07/the-iterated-random-function-problem/final

Conference: 23rd Annual International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2017 Abstract: At CRYPTO 2015, Minaud and Seurin introduced and studied the iterated random permutation problem, which is to distinguish the r-th iterate of a random permutation from a random permutation. In this paper, we study the closely related iterated random function problem, and prov...

Publications Journal Article (Final) March 13, 2017
https://csrc.nist.gov/pubs/journal/2017/03/must-i-can-i-i-dont-understand-your-ambiguous-pass/final

Journal: Information & Computer Security Abstract: Purpose: The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords ha...

Publications Conference Paper (Final) February 26, 2017
https://csrc.nist.gov/pubs/conference/2017/02/26/be-prepared-how-us-government-experts-think-about/final

Conference: NDSS Symposium 2017 Abstract: Online security experiences, perceptions, and behaviors are key to understanding users' security practices. Users express that they are concerned about online security, but they also express frustration in navigating the often confusing and mentally taxing cybersecurity world. Thi...

Publications ITL Bulletin (Final) January 17, 2017
https://csrc.nist.gov/pubs/itlb/2017/01/dramatically-reducing-software-vulnerabilities/final

Abstract: This bulletin summarized the information presented in NISTIR 8151: Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy. The publication starts by describing well known security risks and presents a list of specific technical approaches th...

Publications Conference Paper (Final) December 20, 2016
https://csrc.nist.gov/pubs/conference/2016/12/20/memory-and-motor-processes-of-password-entry-error/final

Conference: 2015 Annual Meeting of the Human Factors and Ergonomics Society Abstract: Passwords are tightly interwoven with the digital fabric of our current society. Unfortunately, passwords that provide better security generally tend to be more complex, both in length and composition. Complex passwords are problematic both cognitively and motorically, leading to both memory and mot...

Publications IR 8144 (Initial Public Draft) September 12, 2016
https://csrc.nist.gov/pubs/ir/8144/ipd

Abstract: Mobile devices pose a unique set of threats, yet typical enterprise protections fail to address the larger picture. In order to fully address the threats presented by mobile devices, a wider view of the mobile security ecosystem is necessary. This document discusses the Mobile Threat Catalogue, whic...

Publications Book Section (Final) September 9, 2016
https://csrc.nist.gov/pubs/book-section/2016/09/managing-risk-in-the-cloud/final

In: Cloud Computing Security: Foundations and Challenges Abstract: This chapter discusses the risk management for a cloud-based information system viewed from the cloud consumer perspective.

Publications Journal Article (Final) March 31, 2016
https://csrc.nist.gov/pubs/journal/2016/03/using-capability-oriented-methodology-to-build-clo/final

Journal: IEEE Cloud Computing Magazine Abstract: Organizations often struggle to capture the necessary functional capabilities for each cloud-based solution adopted for their information systems. Identifying, defining, selecting, and prioritizing these functional capabilities and the security components that implement and enforce them is surprisin...

Publications Journal Article (Final) December 18, 2015
https://csrc.nist.gov/pubs/journal/2015/12/managing-risk-in-a-cloud-ecosystem/final

Journal: IEEE Cloud Computing Abstract: Economies of scale, cutting-edge technology advancements, and higher concentration of expertise enable cloud providers to offer state-of-the-art cloud ecosystems that are resilient, self-regenerating, and secure--far more secure than the environments of consumers who manage their own systems. This h...

Publications Conference Paper (Final) August 2, 2015
https://csrc.nist.gov/pubs/conference/2015/08/02/effects-of-password-permutation-on-subjective-usab/final

Conference: 3rd International Conference on Human Aspects of Information Security, Privacy and Trust Abstract: The current work examines subjective password usability across platforms—desktop, smartphone, and tablet—using system-generated passwords that adhere to the stricter password requirements found in higher-security enterprise environments. This research builds upon a series of studies at the United St...
